I know that connecting to public WiFi carries risks. I know that much of the risk has to do with sending data over a public connection, allowing it to be intercepted.

So, my question is, do most or all Android apps use SSL or some other secure protocol? Is SSL forced via Android policy or technical limitations? Would I only have to worry about websites in my browser that use http?

If an app uses a secure connection, does that mean it is significantly safer to use on a public WiFi network? I know that people creating their own WiFi network or spoofing others is still a risk, but is there anything else?

2 Answers

There's nothing that forces the use of HTTPS for Android applications. Some data may not make sense to transfer over HTTPS, instead relying on other mechanisms (say, GPG key signature checks) to verify the data.

Your concern is very real. Most developers and users don't understand the benefits of using SSL and other forms of encryption.

You can guarantee encryption by using an SSH Tunnel, although it will only ensure the stream is encrypted to the exit point (which would be the server to which you're connected). This is good if you are simply trying to prevent your ISP from spying on you.

Another way would be to use TorProject's Orbot. This has the same idea in mind, except you will not be required to provide your own tunneling server and benefit from being able to change your exit point at will. Orbot also uses multiple proxies to help obfuscate your identity. Of course, you are encouraged to help participate and provide a relay if at all possible.

In order to have 100% stream encryption, neither of these options is fool-proof, but they may help you in your endeavor.

This is why it is important (especially now) to use different passwords for different sites, as some sites/services won't provide the same level of security as another.

SSL on a public WiFi, while still much, much more secure than non-encrypted streams, does not provide 100% failsafe protection. Unfortunately, Root Certificate Authorities are vulnerable to hacks, and some (Trustwave) have even been caught issuing certificates to companies they knew were not the owners of the website SPECIFICALLY to allow said companies to spy on encrypted connections. It is also easy to strip SSL out in applications that do not require secure connections.

You do, however, have a few options that will provide you with stronger security.

You can use gpg to encrypt messages and data using your intended target's public key.

One pass encryption has the highest level of security for certain applications.

TL;DR:

Your phone is insecure. It is up to you to decide what conveniences you need, and how they will impact your security. There are many practices in which you can become disciplined that will help minimize your risks, but at the end of the day it is your responsibility to safeguard what you deem private. I would be more worried about the data that each app you have installed is trying to offload to its servers. Read through the 'Permissions' of each app you install before you download it, and decide if it really needs half of what it says it does.
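The answers above say that nothing forces an Android app to use HTTPS and that you cannot tell from the outside which apps do. The practical way to find out is to look at what each app actually sends on the wire. The script below is an added example, not code from this question or either answer: it takes the first bytes each app sent on an outbound TCP connection (what a packet capture on the phone or on your own access point would show) and reports which apps speak TLS, which send cleartext HTTP, and which of the cleartext requests look like they carry credentials. It classifies by inspecting the bytes rather than the port, so TLS on an odd port and HTTP on port 443 are both handled. The package names, addresses, hostnames and payloads are constructed for the example; the credential heuristic is an assumption about common field names, not a standard.

```python
"""Audit which apps on a phone send data in the clear over a Wi-Fi link.

Input:  the first bytes each app sent on an outbound TCP connection
        (what a packet capture on the phone or the access point shows).
Output: per-app verdict: TLS, cleartext HTTP, or unrecognised protocol.
"""
import re

# Constructed sample flows: (package name, destination IP, port, first bytes sent).
# Package names, addresses, hostnames and payloads are invented for this example.
SAMPLE_FLOWS = [
    # TLS record header (type 0x16, version 3.1) followed by a ClientHello (0x01)
    ("com.example.mail", "203.0.113.10", 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    # Plain HTTP GET on the standard port
    ("com.example.weather", "203.0.113.20", 80,
     b"GET /forecast?city=Oslo HTTP/1.1\r\nHost: api.example.net\r\n\r\n"),
    # Plain HTTP POST on a non-standard port carrying a login form
    ("com.example.chat", "203.0.113.30", 8080,
     b"POST /login HTTP/1.1\r\nHost: chat.example.org\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"user=alice&pass=hunter2"),
    # TLS on a non-standard port: a port-based check would have missed this
    ("com.example.sync", "203.0.113.40", 8443,
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32),
    # Some binary protocol: the bytes alone do not say whether it is encrypted
    ("com.example.game", "203.0.113.50", 7777, b"\x00\x01\x02\x03\x04"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
# Heuristic (assumption): field names that usually carry secrets in a cleartext request
CREDENTIAL_FIELD = re.compile(rb"(?i)(^|[?&\r\n])(pass(word)?|pwd|token|session|auth)\s*[=:]")


def classify(first_bytes: bytes) -> str:
    """Decide from the first bytes of a flow which protocol it speaks.

    TLS: record content type 0x16 (handshake), record version 0x03.xx, and the
    first handshake message type 0x01 (ClientHello). Looking at the bytes rather
    than the port catches TLS on odd ports and cleartext on port 443.
    """
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def http_host(first_bytes: bytes) -> str:
    """Pull the Host header out of a cleartext HTTP request, if present."""
    m = re.search(rb"\r\nHost:\s*([^\r\n]+)", first_bytes)
    return m.group(1).decode("ascii", "replace") if m else ""


def audit(flows):
    """Return {package: {"transport", "dest", "host", "credential_like"}}."""
    report = {}
    for app, ip, port, first_bytes in flows:
        transport = classify(first_bytes)
        report[app] = {
            "transport": transport,
            "dest": f"{ip}:{port}",
            "host": http_host(first_bytes) if transport == "http" else "",
            # Only meaningful for cleartext: under TLS the request is encrypted,
            # so a capture cannot see the field names at all.
            "credential_like": transport == "http"
                               and bool(CREDENTIAL_FIELD.search(first_bytes)),
        }
    return report


if __name__ == "__main__":
    for app, entry in audit(SAMPLE_FLOWS).items():
        flag = "  <-- credentials in the clear" if entry["credential_like"] else ""
        print(f"{app:22} {entry['transport']:8} {entry['dest']:20} {entry['host']}{flag}")
```

Run as-is to see the constructed report; to audit a real phone, replace `SAMPLE_FLOWS` with the first payload bytes of each connection from your own capture, grouped by the app that opened the socket. An "unknown" verdict is not a pass: it only means the protocol could not be identified from the first bytes, and such apps deserve the same scrutiny as the cleartext ones.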